Bug #74954 null deref and segfault in zend_generator_resume()
Submitted: 2017-07-19 19:57 UTC Modified: 2017-07-22 09:06 UTC
From: geeknik at protonmail dot ch Assigned: bwoebi
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS: Fedora 26 x64
Private report: No CVE-ID:
 [2017-07-19 19:57 UTC] geeknik at protonmail dot ch
Description:
------------
Compiled with afl-clang-fast on Fedora 26 x64. While fuzzing with AFL, this null deref triggered a segfault.

Test script:
---------------
<?php
// Inner generator: yields once, then throws when resumed a second time.
function from() {
        yield 1;
        throw new Exception();
}

// Outer generator that delegates to whichever generator it is handed.
function gen($gen) {
        try {
                var_dump(yield from $gen);
        } catch (Exception $e) { print "Caught exception!\n$e\n"; }
}

// One inner generator is delegated to by two outer generators at the same time.
$gen = from();
$gens[] = gen($gen);
$gens[] = gen($gen);

// Start both outer generators; each is now parked on the shared inner yield.
foreach ($gens as $g) {
        $g->current();
}

// Advance both until the first one finishes. The inner generator throws into one
// delegator, the other one sees ClosedGeneratorException, and the engine then
// crashes in zend_generator_resume() (see the actual result below).
do {
        foreach ($gens as $i => $g) {
                $g->next();
        }
} while ($gens[0]->valid());
?>


Expected result:
----------------
No crash.

Actual result:
--------------
Caught exception!
Exception in /root/php-tmp/tmp/1.php:4
Stack trace:
#0 /root/php-tmp/tmp/1.php(9): from()
#1 [internal function]: gen(Object(Generator))
#2 /root/php-tmp/tmp/1.php(23): Generator->next()
#3 {main}
/root/php-7.1.7/Zend/zend_hash.c:1291:41: runtime error: left shift of 32768 by 16 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_hash.c:1291:41 in
/root/php-7.1.7/Zend/zend_smart_str.c:44:12: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:44:12 in
/root/php-7.1.7/Zend/zend_smart_str.c:44:12: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:44:12 in
/root/php-7.1.7/Zend/zend_smart_str.c:45:28: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:45:28 in
/root/php-7.1.7/Zend/zend_smart_str.c:45:28: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_smart_str.c:45:28 in
Caught exception!
ClosedGeneratorException: Generator yielded from aborted, no return value available in /root/php-tmp/tmp/1.php:9
Stack trace:
#0 [internal function]: gen(Object(Generator))
#1 /root/php-tmp/tmp/1.php(23): Generator->next()
#2 {main}
/root/php-7.1.7/Zend/zend_generators.c:802:29: runtime error: member access within null pointer of type 'zend_execute_data' (aka 'struct _zend_execute_data')
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_generators.c:802:29 in
ASAN:DEADLYSIGNAL
=================================================================
==27573==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00000207dcb5 bp 0x7fff3545ab10 sp 0x7fff3545a980 T0)
==27573==The signal is caused by a WRITE memory access.
==27573==Hint: address points to the zero page.
    #0 0x207dcb4 in zend_generator_resume /root/php-7.1.7/Zend/zend_generators.c
    #1 0x23792d6 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:970:4
    #2 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #3 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #4 0x1e37ccd in zend_execute_scripts /root/php-7.1.7/Zend/zend.c:1476:4
    #5 0x1aa8eb2 in php_execute_script /root/php-7.1.7/main/main.c:2537:14
    #6 0x2984423 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:993:5
    #7 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #8 0x7f3fc73b54d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #9 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/Zend/zend_generators.c in zend_generator_resume
==27573==ABORTING

 [2017-07-22 09:06 UTC] bwoebi@php.net
-Assigned To: +Assigned To: bwoebi
 [2017-07-22 09:14 UTC] bwoebi@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bad5d0d6c56e078502b21ebdbf829b7a1c9b3bd3
Log: Fixed bug #74954 (null deref and segfault in zend_generator_resume())
 [2017-07-22 09:14 UTC] bwoebi@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC